Abstract

We consider the problem of proof search in an expressive authorization logic that contains a “says” modality and an ordering on principals. After a description of the proof system for the logic, we identify two fragments that admit complete goal-directed and saturating proof search strategies. A smaller fragment is then presented, which supports both goal-directed and saturating search, and has a sound and complete translation to first-order logic. We conclude with a brief description of our implementation of goal-directed search.
1 Introduction


In  the  recent  past,  the  use  of  logic  to  represent,  enforce,  and  reason  about  access  control 
policies  has  grown  significantly.  Several  systems  and  programming  languages  have  been 
proposed  that  express  policies  as  logical  theories,  and  allow  or  deny  access  depending 
on  the  provability  of  specific  formulas  (e.g.,  [8-10,  21,  27,  35,  37,  53]).  In  all  these 
applications  efficient  methods  of  proof  search  are  required.  When  human  intervention  is 
not  possible  or  undesirable  the  methods  need  to  be  automated.  In  this  paper  we  develop 
the  theory  of  logic  programming  in  a  logic  designed  for  expressing  access  control  policies 
(such  logics  are  generically  called  authorization  logics  here).  Our  primary  motivation 
is  to  study  the  theoretical  foundations  of  proof  search  in  the  context  of  access  control. 
The  issue  of  theoretical  foundations  has  been  ignored  by  prior  work  in  the  area,  most 
of  which  is  guided  by  concerns  like  minimizing  network  usage  and  human  interaction 
during  distributed  proof  search  [10,  11,  22,  41].  We  consider  logic  programming  instead 
of  full  theorem  proving  since  logic  programming  can  be  implemented  efficiently.  Existing 
work  on  policy  languages  already  shows  that  most,  if  not  all,  policies  of  practical  interest 
fit  nicely  into  the  logic  programming  paradigm. 

Logic programming with authorization logics is non-trivial due to the inclusion of a family of modalities, commonly written k says s [3-5, 8, 9, 17, 24, 30, 31, 33]. k says s means that principal k states or believes formula s and is used to distinguish statements of different principals. While the modality makes it easier to express decentralized policies, it significantly increases the complexity of proof search. Further, there is a trade-off between choosing a proof-theoretic interpretation of k says s that is useful for expressing practical policies, and one that is amenable to proof search, especially through logic programming.

Based  on  these  considerations,  we  introduce  a  new  authorization  logic,  BLq,  that 
is  not  only  expressive  but  also  well  suited  to  logic  programming.  After  describing  its 
proof  system  and  commenting  briefly  on  its  expressiveness,  we  examine  two  different 
strategies  for  finding  proofs  in  it:  (a)  Goal-directed  search  (backward  chaining),  which 
is  often  efficient  for  finding  large  proofs  of  authorization  one  at  a  time,  and  (b)  Saturating 
search  (forward  chaining),  which  is  useful  for  determining  all  possible  permissions  that 
follow  from  a  policy.  For  each  of  the  two  search  strategies,  we  identify  a  fragment  of 
BLq  on  which  the  strategy  is  complete  with  respect  to  the  logic’s  proof  system.  We 
then  identify  a  third  fragment  to  which  both  strategies  apply  (via  a  translation).  We 
also  present  a  complete  translation  from  this  third  fragment  to  first-order  intuitionistic 
logic,  thus  opening  the  possibility  of  using  existing  theorem  provers  for  BLq.  A  minor 
contribution  of  this  paper  is  a  justification  for  the  semantics  of  the  policy  language 
Binder [23], and a formalization of its connection to a related language Soutei [49].

Before  proceeding  to  the  technical  material,  we  would  like  to  clarify  the  scope  of 
this work and its broad context. This work should be distinguished from policy languages and trust management systems that have implementations based on ideas from
or  translations  to  logic  programs  [12,  13,  23,  36,  38-40,  49].  Despite  their  importance 
in  practice,  the  inference  rules  of  these  frameworks  lack  an  internal  justification  that  is 
readily  available  in  a  logic  in  the  form  of  meta-theoretic  principles  like  cut-elimination. 
One  goal  of  this  paper  is  to  combine  such  meta-theoretic  foundations  with  efficient 
implementations  in  an  authorization  logic. 
BLq is a simplification of a larger logic BL, which includes support for explicit time [24], constraints, and system state, all of which BLq lacks. Owing to the additional complexity, logic programming in BL is even harder than it is in BLq, and an attempt to extend the results of this paper to the full logic is currently underway. The broad goal of this project is to use BL for expressing and enforcing access policies in our implementation of a file system based on proof-carrying authorization [8-10]. For this application, we have already implemented the goal-directed search strategy described in this paper in a user tool that is available online [28]. In addition to the file system, we also intend to use BL in a type system and a compiler that translates policies expressed in BL to file system permissions. For the latter, we expect that saturating search may be the best choice.

Organization.  The  rest  of  this  paper  is  organized  as  follows.  After  discussing  closely 
related  work,  we  introduce  the  logic  BLq,  its  sequent  calculus,  and  some  meta-theorems 
including  cut-elimination  (Section  2).  In  Sections  3  and  4  we  discuss  goal-directed  search 
and  saturating  search  respectively,  and  identify  fragments  of  BLq  over  which  the  two 
search  strategies  are  complete.  Section  5  introduces  the  third  fragment  that  allows  both 
forms  of  search,  and  presents  its  translation  to  first-order  logic.  Section  6  discusses 
some  open  issues  and  briefly  comments  on  our  implementation  of  goal-directed  search. 
Section  7  concludes  the  paper. 

Related  Work.  Perhaps  most  closely  related  to  our  work  in  spirit  are  the  policy 
languages  Binder  and  Soutei  [23,  49],  whose  says  modality  and  search  strategies  were 
the  inspiration  for  this  work.  (The  name  BL  stands  for  Binder  Logic  as  a  tribute  to 
the  inspiration.)  However,  we  should  carefully  observe  the  distinction  here:  Binder  and 
Soutei  are  domain  specific  languages  whose  rules  have  no  particular  logical  justification 
whereas  BLq  is  a  logic.  We  do  show  in  Section  5  that  both  Binder  and  Soutei  are  closely 
related  to  a  fragment  of  BLq.  Along  the  same  lines,  there  are  several  other  policy 
languages  and  trust  management  systems  that  implement  or  admit  search  procedures, 
often  by  translation  to  logic  programs  (e.g.,  [12-16,  32,  36,  38-40]). 

Also related is work on construction of proofs for access when credentials are distributed on a network [10, 11, 22, 41]. Our setting is quite different. We assume local access to credentials, so that issues like credential chain discovery and minimizing network usage are irrelevant to our cause. On the other hand, we expect to work with large policies and use proof construction for system interfaces, so we need to address the problem of constructing proofs very fast (on the order of milliseconds).

BLq is one of many authorization logics [3-5, 8, 9, 17, 24, 30, 31, 33] (see [2] for a survey), but its says modality is different from that in any of these logics. BLq's says modality is based on the necessitation modality of the modal logic CS4 [6, 46]. The sequent calculus for BLq draws on ideas from a judgmental presentation of CS4 due to Pfenning and Davies [46]. An earlier paper by the author formalizes the connection between BLq and CS4 ([29]; Section 5.5).

There is a large body of work on logic programming with modalities (see [44] for a survey of the area). However, our work is not directly related to any of these. Instead, our treatment of goal-directed search extends prior work on uniform proofs for first-order logic [43] and draws on ideas from the linear logic programming language Lolli [34]. BLq's saturating search is motivated by Datalog (see e.g., [18]), the Concurrent Logical Framework [52] and the logic programming language LolliMon [42]. Both search principles are related to and build upon the general principle of focusing [7]. Our proof techniques are based on a lot of earlier work that is cited throughout the paper.


2  BLq:  An  Authorization  Logic 


BLq extends first-order intuitionistic logic with a modality k says s, which means that principal k states, claims, or believes that formula s is true. Predicates P express relations between terms that are either ground constants a, bound variables x, or applications of uninterpreted function symbols f to ground terms. Terms are classified into sorts σ (sometimes called types). We stipulate at least one sort principal whose elements are represented by the letter k. We also assume a preorder on ground principals k ⪰ k', read k is stronger than k', with a distinguished strongest element ℓ (ℓ ⪰ k for every k). ℓ represents the “local authority” at the point of access [1]. Formulas s may either be atomic (p, q) or they may be constructed using the usual connectives of predicate logic and the special connective k says s.


\[
\begin{array}{lll}
\text{Sorts} & \sigma & ::= \text{principal} \mid \ldots \\
\text{Terms} & t, k, \ell & ::= a \mid x \mid f(t_1, \ldots, t_n) \\
\text{Predicates} & P & \\
\text{Atoms} & p, q & ::= P(t_1, \ldots, t_n) \\
\text{Formulas} & r, s & ::= p \mid r \wedge s \mid r \vee s \mid r \supset s \mid \top \mid \bot \mid \forall x{:}\sigma.\, s \mid \exists x{:}\sigma.\, s \mid k\ \mathrm{says}\ s
\end{array}
\]


Axiomatic proof system. The primary proof system that we need for proof search is a sequent calculus. However, before presenting that, we briefly describe an axiomatic proof system for BLq. This proof system is obtained by extending any axiomatization of first-order intuitionistic logic with the following axioms and rules for says.

\[
\begin{array}{ll}
\dfrac{\vdash s}{\vdash k\ \mathrm{says}\ s} & (\mathrm{N}) \\[2ex]
\vdash (k\ \mathrm{says}\ (s_1 \supset s_2)) \supset ((k\ \mathrm{says}\ s_1) \supset (k\ \mathrm{says}\ s_2)) & (\mathrm{K}) \\[1ex]
\vdash (k\ \mathrm{says}\ s) \supset k'\ \mathrm{says}\ k\ \mathrm{says}\ s & (\mathrm{I}) \\[1ex]
\vdash k\ \mathrm{says}\ ((k\ \mathrm{says}\ s) \supset s) & (\mathrm{C}) \\[1ex]
\vdash (k'\ \mathrm{says}\ s) \supset k\ \mathrm{says}\ s \quad \text{if } k' \succeq k & (\mathrm{S})
\end{array}
\]

Rule (N) means that each principal states at least all tautologies. Axiom (K) means that the statements of each principal are closed under implication. Together they imply that each (k says ·) is a normal modality (see e.g., [26]). Axiom (I) was first suggested in the context of access control by Abadi [2]. It means that statements of any principal k can be injected into the belief system of any other principal. Axiom (C), or conceit, states that every principal k believes that each of its statements is true. (S) means that statements of each principal are believed by all weaker principals. In particular, (ℓ says s) ⊃ k says s for each k and s.

This choice of axioms for says is quite different from any of the existing authorization logics, and has been developed to make logic programming simpler.
Common policies:

(1) admin says ∀k, k', f. (((hr says employee(k)) ∧ hasLevelForFile(k, f) ∧ (system says owns(k', f)) ∧ (k' says may(read, k, f))) ⊃ may(read, k, f))

(2) admin says ∀k, f, l, l'. (((system says levelFile(f, l)) ∧ (hr says levelPrin(k, l')) ∧ below(l, l')) ⊃ hasLevelForFile(k, f))

(3) ℓ says below(confidential, secret)

(4) ℓ says below(secret, topsecret)

(5) ℓ says below(confidential, topsecret)

Additional policies for example scenario:

(6) system says levelFile(secret.txt, secret)

(7) system says owns(Alice, secret.txt)

(8) hr says employee(Bob)

(9) hr says levelPrin(Bob, topsecret)

(10) Alice says may(read, Bob, secret.txt)

Figure 1: Simplified policies for control of classified information

Expressiveness.  Besides  being  well-suited  to  logic  programming,  BLq  is  also  quite 
expressive.  Although  there  is  no  quantitative  metric  to  measure  the  expressiveness  of 
an  authorization  logic,  we  list  below  two  connections  between  existing  authorization 
frameworks  and  BLq,  that  we  believe  are  sufficient  to  establish  the  usefulness  of  BLq  as 
a  logic  for  writing  access  policies. 

- Authorization logics that interpret says as a monad, referred to by many different names including CDD and ICL [3, 30, 31], can be translated in a sound and complete manner to BLq. (See an earlier paper for details [29].) These authorization logics have been used in many applications, including type systems [27, 35, 37].

-  The  policy  language  Binder  [23]  is  closely  related  to  a  small  fragment  of  BLq  and 
another  policy  language,  Soutei  [49],  is  a  subset  of  it  (see  Section  5  for  details).  As 
a  result  any  policies  expressible  in  these  languages  can  be  written  in  BLq.  Soutei 
has  been  deployed  in  at  least  one  large  application:  a  publish-subscribe  web  service 
with  distributed  and  compartmentalized  administration. 

We have also completed a significant case study that uses BLq to formalize policies for control and dissemination of classified information in the USA. This case study is available online [28]. We introduce here a simplified fragment of this case study that we use as a running example in this paper.

Example 1. Consider a hypothetical intelligence agency where each file and each individual is assumed to have a classification level, which is an element of the ordered set confidential < secret < topsecret. Access control for files uses three distinguished principals: admin, who makes final decisions on granting access; system, who is responsible for governing files (e.g., setting their ownership and classification levels); and hr, who is responsible for governing individuals (e.g., giving them classification levels and employment certifications). Figure 1 shows the policies that control access (numbered (1)-(5)) as well as some additional assumptions needed to get access in a specific case (numbered (6)-(10)).

In order that principal k may read file f, the following formula must be established from the policies in effect: admin says may(read, k, f). This is possible if k is an employee of the intelligence organization (predicate employee(k)), k has a classification level above the file (predicate hasLevelForFile(k, f)), and k gets permission from the owner of the file. This is captured in policy (1), which is created by admin. For readability, we omit all sort annotations from quantifiers. Policy (2) defines the predicate hasLevelForFile(k, f) further in terms of classification levels of k and f (predicates levelPrin(k, l) and levelFile(f, l) respectively). The predicate below(l, l') captures the order l < l' between classification levels (policies (3)-(5)). Since we assume that all principals believe this order, policies (3)-(5) are stated by the strongest principal ℓ.

As an illustration of the use of these policies, let us assume that file secret.txt, owned by Alice, is classified at the level secret. Suppose that Bob is an employee cleared at level topsecret, and further that Alice wants to let Bob read file secret.txt. We may capture this information in formulas (6)-(10). Then it is easy to see that (1)-(10) entail admin says may(read, Bob, secret.txt) using the axioms of BLq. The non-standard axioms (I) and (S) play a significant role in this derivation.
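As an added illustration, not part of the original text, here is that derivation written out in the axiomatic system, abbreviating Bob, Alice and secret.txt as B, A and F. Instantiating a quantifier inside says is done by (N) on the tautology (∀x.s) ⊃ s[t/x] followed by (K), and conjuncts inside says are combined using the provable equivalence of k says (s ∧ r) with (k says s) ∧ (k says r):

\[
\begin{array}{lll}
(a) & \mathrm{admin\ says}\ ((\mathrm{hr\ says\ employee}(B)) \wedge \mathrm{hasLevelForFile}(B,F) \wedge (\mathrm{system\ says\ owns}(A,F)) \wedge (A\ \mathrm{says\ may}(\mathrm{read},B,F))) \supset \mathrm{may}(\mathrm{read},B,F) & \text{from (1) by (N), (K)} \\
(b) & \mathrm{admin\ says\ hr\ says\ employee}(B) & \text{from (8) by (I)} \\
(c) & \mathrm{admin\ says\ system\ says\ owns}(A,F) & \text{from (7) by (I)} \\
(d) & \mathrm{admin\ says}\ A\ \mathrm{says\ may}(\mathrm{read},B,F) & \text{from (10) by (I)} \\
(e) & \mathrm{admin\ says}\ ((\mathrm{system\ says\ levelFile}(F,\mathrm{secret})) \wedge (\mathrm{hr\ says\ levelPrin}(B,\mathrm{topsecret})) \wedge \mathrm{below}(\mathrm{secret},\mathrm{topsecret})) \supset \mathrm{hasLevelForFile}(B,F) & \text{from (2) by (N), (K)} \\
(f) & \mathrm{admin\ says\ system\ says\ levelFile}(F,\mathrm{secret}) & \text{from (6) by (I)} \\
(g) & \mathrm{admin\ says\ hr\ says\ levelPrin}(B,\mathrm{topsecret}) & \text{from (9) by (I)} \\
(h) & \mathrm{admin\ says\ below}(\mathrm{secret},\mathrm{topsecret}) & \text{from (4) by (S), since } \ell \succeq \mathrm{admin} \\
(i) & \mathrm{admin\ says\ hasLevelForFile}(B,F) & \text{from (e), (f), (g), (h) by (K)} \\
(j) & \mathrm{admin\ says\ may}(\mathrm{read},B,F) & \text{from (a), (b), (i), (c), (d) by (K)}
\end{array}
\]

Axiom (C) is not needed. (I) is what moves the certificates of hr, system and Alice into admin's belief system, and (S) is what lets admin use the ordering on levels stated by ℓ; had (3)-(5) been stated by a principal not stronger than admin, step (h) would not be derivable.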

In practice, the assumptions or policies (1)-(10) would be established using digitally signed certificates, the signers being the principals who state the respective policies. For example, the certificate establishing assumption (1) would be signed by admin. The proof which shows that (1)-(10) establish admin says may(read, Bob, secret.txt) can be used as evidence that Bob has legitimate access to secret.txt. Depending on the mechanism of policy enforcement, this proof may either be checked by a reference monitor prior to access as in proof-carrying authorization [8, 9], or it may be logged for subsequent audit [51], or it may be compiled to lower level permissions.


2.1  Sequent  Calculus 

Next, we develop a sequent calculus for BLq, which we later use as the basis for proof search. We follow the judgmental method [19, 46], introducing a separate category of judgments that are established by deductions. For BLq, we need two judgments: s true, meaning that formula s is provable in the current context, and k claims s, meaning that principal k believes that s must be the case. (k claims s) is logically equivalent to (k says s) true. We often abbreviate s true to s. Using the judgmental method makes the technical development easier, especially the proof of cut-elimination.


\[
\begin{array}{lll}
\text{Judgments} & J & ::= s\ \mathrm{true} \mid k\ \mathrm{claims}\ s \\
\text{Sorting} & \Sigma & ::= a_1{:}\sigma_1, \ldots, a_n{:}\sigma_n \\
\text{Hypotheses} & \Gamma & ::= J_1, \ldots, J_n \\
\text{Sequent} & & \Sigma; \Gamma \stackrel{k}{\longrightarrow} s\ \mathrm{true} \qquad (n \ge 0)
\end{array}
\]

Sequents in BLq have the form $\Sigma; \Gamma \stackrel{k}{\longrightarrow} s\ \mathrm{true}$. Σ is a map from term constants occurring in the sequent to their sorts, and Γ is the set of assumed judgments (hypotheses). The novelty here is the principal k on the sequent symbol, which we call the context of the sequent.¹ The context represents the principal relative to whose beliefs the reasoning is being performed. It affects provability in the following manner: while reasoning in context k, an assumption of the form k' claims s entails s true if k' ⪰ k (in particular, k claims s entails s true). This entailment does not hold in general.

The rules of our sequent calculus are summarized in Figure 2. As usual, we have left and right rules for each connective. For common connectives, the rules resemble those in intuitionistic logic, with the exception of the associated context, which remains unchanged. The judgment Σ ⊢ t:σ means that the term t has sort σ. We restrict the (init) rule to atomic formulas only. This is merely a technical convenience because we prove later that $\Sigma; \Gamma, s \stackrel{k}{\longrightarrow} s$ for arbitrary s. Rule (claims) enforces the meaning of contexts as described above by allowing k claims s on the left to be promoted to s if the context k₀ is weaker than k.

(saysR) is the only rule which changes the context of a sequent. The notation Γ| in this rule denotes the subset of Γ that contains exactly the claims of principals, i.e., the set {(k' claims s') ∈ Γ}. The rule means that k says s is true in any context k₀ if s is true in context k using only claims of principals. Truth assumptions in Γ are eliminated in the premise because they may have been added in the context k₀ (using the rules (claims) and (⊃R)), but may not hold in the context k. The left rule (saysL) changes the judgment (k says s) true to the equivalent judgment k claims s.

Meta-theory. We prove two important meta-theorems about this sequent calculus: admissibility of the cut rule and the identity principle. In addition, common structural theorems such as weakening and strengthening of hypotheses are also provable, but we do not state them explicitly.

Theorem 2.1 (Identity). $\Sigma; \Gamma, s \stackrel{k}{\longrightarrow} s$ for each s.

Proof. By induction on s. □

Theorem 2.2 (Admissibility of cut). The following hold:

1. $\Sigma; \Gamma \stackrel{k}{\longrightarrow} s$ and $\Sigma; \Gamma, s \stackrel{k}{\longrightarrow} r$ imply $\Sigma; \Gamma \stackrel{k}{\longrightarrow} r$.

2. $\Sigma; \Gamma| \stackrel{k}{\longrightarrow} s$ and $\Sigma; \Gamma, k\ \mathrm{claims}\ s \stackrel{k_0}{\longrightarrow} r$ imply $\Sigma; \Gamma \stackrel{k_0}{\longrightarrow} r$.

Proof. By simultaneous lexicographic induction, first on the size of the cut formula, and then on the sizes of the two given derivations, as in [45]. □

Finally, we prove an equivalence between the axiomatic system and the sequent calculus.

Theorem 2.3 (Equivalence). $\Sigma; \cdot \stackrel{k}{\longrightarrow} s$ in the sequent calculus if and only if $\vdash k\ \mathrm{says}\ s$ in the axiomatic system.

Proof. The “if” direction follows by a direct induction on axiomatic proofs. For the “only if” direction, we generalize the statement of the theorem to allow non-empty

¹ Often in the literature, context is used to refer to Γ. However, we consistently use context for k and hypotheses for Γ.




\[
\begin{array}{c}
\dfrac{}{\Sigma; \Gamma, p \stackrel{k}{\longrightarrow} p}\ (\mathrm{init})
\qquad
\dfrac{k \succeq k_0 \qquad \Sigma; \Gamma, k\ \mathrm{claims}\ s, s \stackrel{k_0}{\longrightarrow} r}{\Sigma; \Gamma, k\ \mathrm{claims}\ s \stackrel{k_0}{\longrightarrow} r}\ (\mathrm{claims})
\\[3ex]
\dfrac{\Sigma; \Gamma| \stackrel{k}{\longrightarrow} s}{\Sigma; \Gamma \stackrel{k_0}{\longrightarrow} k\ \mathrm{says}\ s}\ (\mathrm{saysR})
\qquad
\dfrac{\Sigma; \Gamma, k\ \mathrm{says}\ s, k\ \mathrm{claims}\ s \stackrel{k_0}{\longrightarrow} r}{\Sigma; \Gamma, k\ \mathrm{says}\ s \stackrel{k_0}{\longrightarrow} r}\ (\mathrm{saysL})
\\[3ex]
\dfrac{\Sigma; \Gamma \stackrel{k}{\longrightarrow} s \qquad \Sigma; \Gamma \stackrel{k}{\longrightarrow} s'}{\Sigma; \Gamma \stackrel{k}{\longrightarrow} s \wedge s'}\ (\wedge\mathrm{R})
\qquad
\dfrac{\Sigma; \Gamma, s \wedge s', s, s' \stackrel{k}{\longrightarrow} r}{\Sigma; \Gamma, s \wedge s' \stackrel{k}{\longrightarrow} r}\ (\wedge\mathrm{L})
\\[3ex]
\dfrac{\Sigma; \Gamma \stackrel{k}{\longrightarrow} s}{\Sigma; \Gamma \stackrel{k}{\longrightarrow} s \vee s'}\ (\vee\mathrm{R}_1)
\qquad
\dfrac{\Sigma; \Gamma \stackrel{k}{\longrightarrow} s'}{\Sigma; \Gamma \stackrel{k}{\longrightarrow} s \vee s'}\ (\vee\mathrm{R}_2)
\qquad
\dfrac{\Sigma; \Gamma, s \vee s', s \stackrel{k}{\longrightarrow} r \qquad \Sigma; \Gamma, s \vee s', s' \stackrel{k}{\longrightarrow} r}{\Sigma; \Gamma, s \vee s' \stackrel{k}{\longrightarrow} r}\ (\vee\mathrm{L})
\\[3ex]
\dfrac{}{\Sigma; \Gamma \stackrel{k}{\longrightarrow} \top}\ (\top\mathrm{R})
\qquad
\dfrac{}{\Sigma; \Gamma, \bot \stackrel{k}{\longrightarrow} r}\ (\bot\mathrm{L})
\\[3ex]
\dfrac{\Sigma; \Gamma, s \stackrel{k}{\longrightarrow} s'}{\Sigma; \Gamma \stackrel{k}{\longrightarrow} s \supset s'}\ (\supset\mathrm{R})
\qquad
\dfrac{\Sigma; \Gamma, s \supset s' \stackrel{k}{\longrightarrow} s \qquad \Sigma; \Gamma, s \supset s', s' \stackrel{k}{\longrightarrow} r}{\Sigma; \Gamma, s \supset s' \stackrel{k}{\longrightarrow} r}\ (\supset\mathrm{L})
\\[3ex]
\dfrac{\Sigma, x{:}\sigma; \Gamma \stackrel{k}{\longrightarrow} s}{\Sigma; \Gamma \stackrel{k}{\longrightarrow} \forall x{:}\sigma.\, s}\ (\forall\mathrm{R})
\qquad
\dfrac{\Sigma; \Gamma, \forall x{:}\sigma.\, s, s[t/x] \stackrel{k}{\longrightarrow} r \qquad \Sigma \vdash t{:}\sigma}{\Sigma; \Gamma, \forall x{:}\sigma.\, s \stackrel{k}{\longrightarrow} r}\ (\forall\mathrm{L})
\\[3ex]
\dfrac{\Sigma; \Gamma \stackrel{k}{\longrightarrow} s[t/x] \qquad \Sigma \vdash t{:}\sigma}{\Sigma; \Gamma \stackrel{k}{\longrightarrow} \exists x{:}\sigma.\, s}\ (\exists\mathrm{R})
\qquad
\dfrac{\Sigma, x{:}\sigma; \Gamma, \exists x{:}\sigma.\, s, s \stackrel{k}{\longrightarrow} r}{\Sigma; \Gamma, \exists x{:}\sigma.\, s \stackrel{k}{\longrightarrow} r}\ (\exists\mathrm{L})
\end{array}
\]

Figure 2: BLq: sequent calculus


hypotheses: if $\Sigma; \Gamma \stackrel{k}{\longrightarrow} s$, then $\vdash k\ \mathrm{says}\ (\Gamma \supset s)$. Next, we generalize the axiomatic system to allow hypotheses. Finally, we induct on sequent derivations to show that they can be simulated in the generalized axiomatic system. Although tedious, this approach is standard. □

Using the sequent calculus we can prove that BLq is consistent (⊥ cannot be derived), and that k says (s ∧ r) is provably equivalent to (k says s) ∧ (k says r). Similar distributive properties do not hold for other connectives. Also, neither s nor k says s implies the other in general.

3  Goal-directed  Search  in  BLq 

We  now  turn  to  the  problem  of  proving  BLq  sequents  through  logic  programming.  Our 
broad  objective  is  to  identify  fragments  of  the  logic  on  which  we  can  describe  simple, 
complete  search  strategies  adhering  to  two  common  paradigms:  (1)  backward  chaining  or 
goal-directed  search,  the  method  used  in  Prolog,  and  (2)  forward  chaining  or  saturating 
search,  the  approach  used  in  Datalog.  Goal-directed  search  is  covered  in  this  section, 
whereas  saturating  search  is  described  in  the  next  section.  Before  proceeding  with 
technical  details,  we  make  three  important  observations. 
First, both goal-directed and saturating search can be seen as instances of a general technique called focusing [7]. Although we may apply this technique to the whole logic, and use it to construct a generic theorem prover for BLq, we refrain from doing so here. Such a generic tool would be needlessly complicated and possibly slow because it would have to cater to many cases that may never arise in actual policies.

Second, the distinction between goal-directed search and saturating search should not be confused with the distinction between backwards and forwards application of inference rules (the latter is also known as the inverse method). Both techniques described here apply inference rules backwards, i.e., a sequent to be proved is matched against the conclusion of a rule, whose premises are then recursively established. The difference between goal-directed search and saturating search arises because the rules used in the two cases are different.

Third,  for  some  applications  such  as  proof-carrying  authorization  [8,  9]  and  also 
sometimes  for  keeping  logs  of  access,  it  is  essential  to  construct  and  output  proof-terms. 
Adding  proof-terms  to  the  logic  programming  strategies  described  below  is  relatively 
straightforward,  and  even  though  our  implementation  produces  them,  we  do  not  describe 
them  here. 

Goal-directed  search.  The  term  goal  refers  to  the  formula  on  the  right  side  of  a 
sequent  to  be  proved.  Goal-directed  search,  in  the  sense  that  we  use  it  here,  is  char¬ 
acterized  by  two  principles:  (1)  Unless  a  goal  is  atomic,  it  is  immediately  decomposed 
using  the  right  rule  of  its  top  most  connective.  Proofs  constructed  in  this  manner  have 
previously  been  called  uniform  proofs  [43].  (2)  When  the  goal  is  atomic,  a  hypothesis 
that  can  potentially  prove  the  goal  is  chosen  (technically,  the  head  of  the  hypothesis 
must  match  the  goal),  decomposed  completely  using  left  rules,  producing  several  addi¬ 
tional  goals  to  be  proved,  which  are  then  established  recursively.  This  second  principle 
is  called  backward  chaining. 

Although this search strategy is incomplete for the whole logic (for example, it cannot establish $\Sigma; s \vee r \stackrel{k}{\longrightarrow} s \vee r$), there are fragments of the logic on which it is complete. We describe one such fragment in detail below. This fragment extends the so-called Hereditary-Harrop (HH) fragment of first-order logic, which is known to admit a complete goal-directed search strategy [43]. We show that its extension with says also admits a similar strategy. Although non-trivial, this is a modular extension of the first-order case.

Hereditary-Harrop fragment of BLq. The syntax of the Hereditary-Harrop (HH) fragment of BLq is described below. Goals g may contain all connectives. Hypotheses are divided into two categories: clauses d that contain only negative connectives (⊃, ∧, ⊤, ∀), and chunks h that contain positive connectives (says, ∧, ∨, ⊤, ⊥, ∃). The left sequent calculus rules of positive connectives are invertible, i.e., they can be eagerly applied in the backwards direction without retaining the principal formula in the premise or losing completeness. The left rules of negative connectives are not invertible, and they are applied only when the result of the application will be useful. (∧ is a special connective: its left rules can be written in two different ways, one of which is invertible, and the other of which is not. Hence, it is both positive and negative. Figure 2 shows only the invertible rule.)

Goals  g  ::= 

Clauses  d  ::= 

Chunks  h  ::  = 

Policies  A  ::= 

Groups  H  ::  = 

Sequents  R  ::= 

L  ::  = 

N  ::  = 

F  ::  = 

Hypotheses  may  be  of  two  kinds.  Policies  A  contain  assumptions  of  the  the  forms  d  or 

k  claims  d,  whereas  groups  H  contain  chunks.  We  need  four  kinds  of  sequents  (labeled 

k 

R,L,N,F),  distinguished  by  the  portions  in  which  rules  are  applied.  In  R  sequents  S;  A  ^ 

g,  the  goal  is  decomposed  by  right  rules.  This  corresponds  to  principle  (1)  above.  In  L 
k 

sequents  S;A;H  g,  the  chunks  in  H  are  decomposed  using  left  rules.  In  N  sequents 
k 

S;  A  p,  which  cause  backward  chaining,  we  choose  a  clause  from  the  hypotheses  that 
can  be  decomposed  to  prove  the  atomic  goal  p,  decompose  the  clause,  and  prove  the 
resulting  subgoals.  This  corresponds  to  principle  (2)  above.  F  sequents  <C  p  | 
gi  ■ . .  gn  decompose  the  clause  d,  proving  atomic  goal  p,  which  is  an  input  and  generate 
subgoals  gi ...  gn,  which  are  outputs. 

The  rules  for  goal-directed  search  are  shown  in  Figure  3.  All  rules  are  applied 
backwards.  Search  starts  in  an  R  sequent  (it  may  start  in  an  L  sequent  if  the  hypotheses 
contain  chunks).  In  this  form,  right  rules  of  the  top-level  connective  of  g  are  successively 
applied  to  decompose  the  goal  to  atomic  formulas.  An  atomic  goal  transitions  to  an  N 
sequent  (rule  (atom)).  The  only  exception  to  this  is  the  rule  (aR),  which  introduces  a 
chunk  on  the  left  and  transitions  temporarily  to  an  L  sequent. 

In  an  L  sequent,  chunks  in  H  are  decomposed  using  left  rules  of  their  top  level 
connectives.  The  rules  may  be  applied  to  chunks  in  any  order.  Usually,  a  canonical  left- 
to-right  or  right-to-left  order  is  chosen.  Chunks  eventually  decompose  into  assumptions 
of  form  d  oi  k  says  d,  which  are  pushed  into  the  policies  A  in  the  forms  d  and  k  claims  d 
respectively  (rules  (pr)  and  (saysL)).  Eventually  H  becomes  empty,  there  is  a  transition 
to  an  R  sequent  (rule  (=^-^=)),  and  decomposition  of  the  goal  is  resumed. 

An N sequent can be established in essentially one way: find a suitable clause to prove its atomic goal, decompose the clause using left rules for its connectives successively (judgment Σ; d ≪ p | g1 … gn), and solve the generated subgoals g1 … gn. There are two rules to prove an N sequent, one where the clause d is directly picked from Δ (B1), and another where the clause d is picked from an assumption k claims d (B2). In the latter case, k must be stronger than the context (otherwise the assumption k claims d does not entail d and is hence not usable).

An F sequent is given as input a clause d and a formula p. It is provable with output g1 … gn if, using left rules, d can be decomposed, revealing p at its head. In general, if Σ; d ≪ p | g1 … gn, d ∈ Δ, and Σ; Δ ⟶^k g_i for each i, then Σ; Δ ⟶^k p. A proof of an F sequent corresponds to a single step of left focusing.


Goals    g ::= p | g1 ∧ g2 | g1 ∨ g2 | h ⊃ g | ⊤ | ⊥ | ∀x:σ.g | ∃x:σ.g | k says g
Clauses  d ::= p | g ⊃ d | d1 ∧ d2 | ⊤ | ∀x:σ.d
Chunks   h ::= d | k says d | h1 ∧ h2 | h1 ∨ h2 | ⊤ | ⊥ | ∃x:σ.h
Policies Δ ::= · | Δ, d | Δ, k claims d
Sequents R ::= Σ; Δ ⟹^k g
         L ::= Σ; Δ; Ξ ⟸^k g
         N ::= Σ; Δ ⇒^k p
         F ::= Σ; d ≪ p | g1 … gn
[Figure 3 (contd.): HH: Goal-directed search. The rule schemata are not recoverable from the scan; the figure gives, for R sequents Σ; Δ ⟹^k g, the rules (atom), (saysR), (∧R), (∨R1), (∨R2), (⊤R), (⊃R), (∀R), (∃R); for L sequents Σ; Δ; Ξ ⟸^k g, the rules (⟸⟹), (pr), (saysL), (∧L), (∨L), (⊤L), (⊥L), (∃L); for F sequents Σ; d ≪ p | g1 … gn, the rules (init), (∧L1), (∧L2), (⊃L), (∀L); and for N sequents Σ; Δ ⇒^k p, the rules (B1) and (B2).]
Example 2. We revisit Example 1 and show some of the steps in constructing a proof of access using goal-directed search. Let us call the set of policies (1)-(10) from the earlier example Ξ and let Σ define the constants used in the policy. We start goal-directed search with the L sequent Σ; ·; Ξ ⟸^{k0} admin says may(read, Bob, secret.txt), where k0 is an arbitrary principal (we may choose k0 = ℓ). Using the rules (saysL) and (⟸⟹), this reduces to proving Σ; Δ ⟹^{k0} admin says may(read, Bob, secret.txt), where Δ is the same as Ξ, except that all top-level says are replaced by claims. Since this is an R sequent, we must use the rules (saysR) and (atom) in order to get the N sequent Σ; Δ| ⇒^{admin} may(read, Bob, secret.txt) (note that Δ| = Δ). Now we have an N sequent, hence a hypothesis must be picked. The only clause that will successfully prove the goal is the one contained in policy (1). We call this clause one here. Indeed we can show Σ; one ≪ may(read, Bob, secret.txt) | g, where

g = hr says employee(Bob) ∧ hasLevelForFile(Bob, secret.txt) ∧
    system says owns(Alice, secret.txt) ∧ Alice says may(read, Bob, secret.txt)

Hence the rule (B2) may be used, generating the premise Σ; Δ ⟹^{admin} g. Only the rule (∧R) applies to this R sequent, resulting in the following premises:

Σ; Δ ⟹^{admin} hr says employee(Bob)

Σ; Δ ⟹^{admin} hasLevelForFile(Bob, secret.txt)

Σ; Δ ⟹^{admin} system says owns(Alice, secret.txt)

Σ; Δ ⟹^{admin} Alice says may(read, Bob, secret.txt)

We show further only how the first of these premises is established. Using the rules (saysR) and (atom), we obtain Σ; Δ ⇒^{hr} employee(Bob). Now we may use the clause in policy (8) (call it eight). Since Σ; eight ≪ employee(Bob) | ·, the use of (B2) generates no new premises, and the proof branch closes.

Observe that as we construct the proof backwards, the context changes, e.g., from k0 to admin to hr above. The change of context makes new assumptions in the hypotheses usable via the rule (B2). For instance, we could not have used policy (8) when the context was admin because it is not the case that hr ≽ admin. This has practical implications. Since the claims of only some of the principals are usable at any time (precisely, those principals that are stronger than the context), a prover may choose to load the hypotheses lazily. In the above illustration, the prover may choose not to load the policies (1) and (2) until the context is admin, and may not load policy (8) until the context is hr, without affecting completeness. This may be very useful if policies are distributed on remote servers. In that case, policies may be "fetched" on demand depending on the current context.
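To make the rule descriptions above and the steps of Example 2 concrete, here is an added Python example (not the paper's SML or Twelf implementation) of goal-directed search over a ground instance of the Horn fragment: goals are decomposed by (saysR), (∧R) and (atom), and at an N sequent a hypothesis k claims d is consulted only when k ≽ context, as rule (B2) demands. The policies are constructed ground instances of (1), (2) and (8) together with the facts the examples rely on; the principal name ell (standing in for the weakest principal used as k0), the atom strings and the ordering pairs are assumptions of the example, not from the paper.

```python
"""Goal-directed (backward-chaining) search over a ground Horn slice of BL0.

Added example, not the paper's implementation. Goals are nested tuples:
  ("atom", "employee(Bob)")   atomic formula p (kept as an opaque string)
  ("says", "hr", g)           k says g
  ("and", g1, g2, ...)        g1 ∧ g2 ∧ ...
A clause is (head_atom, [g1, ..., gn]) standing for g1 ∧ ... ∧ gn ⊃ head_atom, and a
hypothesis (k, clause) reads "k claims clause". Everything is ground, so the F sequent
Σ; d ≪ p | g1 ... gn reduces to "the head of d equals p"; no unification is needed.
"""
from typing import List, Tuple

Goal = tuple
Clause = Tuple[str, List[Goal]]
Hyp = Tuple[str, Clause]

# Principal ordering k1 ≽ k2 ("k1 is stronger than k2"): explicit pairs plus reflexivity.
# "ell" is a constructed name for the weakest principal, used as the initial context k0.
ORDER = {("admin", "ell"), ("hr", "ell"), ("system", "ell"), ("Alice", "ell")}


def stronger(k1: str, k2: str) -> bool:
    return k1 == k2 or (k1, k2) in ORDER


def atom(p: str) -> Goal:
    return ("atom", p)


def says(k: str, g: Goal) -> Goal:
    return ("says", k, g)


# Constructed policy set Δ: ground instances of the paper's policies (1), (2) and (8)
# for Bob and secret.txt, plus the facts Examples 2 and 3 rely on.
POLICY: List[Hyp] = [
    ("admin", ("may(read,Bob,secret.txt)",                    # policy (1)
               [says("hr", atom("employee(Bob)")),
                atom("hasLevelForFile(Bob,secret.txt)"),
                says("system", atom("owns(Alice,secret.txt)")),
                says("Alice", atom("may(read,Bob,secret.txt)"))])),
    ("admin", ("hasLevelForFile(Bob,secret.txt)",             # policy (2)
               [says("system", atom("levelFile(secret.txt,secret)")),
                says("hr", atom("levelPrin(Bob,topsecret)")),
                atom("below(secret,topsecret)")])),
    ("hr", ("employee(Bob)", [])),                            # policy (8)
    ("system", ("levelFile(secret.txt,secret)", [])),
    ("hr", ("levelPrin(Bob,topsecret)", [])),
    ("admin", ("below(secret,topsecret)", [])),
    ("system", ("owns(Alice,secret.txt)", [])),
    ("Alice", ("may(read,Bob,secret.txt)", [])),
]


def prove(goal: Goal, ctx: str, hyps: List[Hyp], trace: list, path=frozenset()) -> bool:
    """R sequent Σ; Δ ⟹^ctx goal: apply the right rule of the top-level connective."""
    kind = goal[0]
    if kind == "says":      # (saysR): the context becomes the speaking principal.
        # Δ| (claims only) equals Δ here because every hypothesis is a claim.
        return prove(goal[2], goal[1], hyps, trace, path)
    if kind == "and":       # (∧R): each conjunct is proved in the same context.
        return all(prove(g, ctx, hyps, trace, path) for g in goal[1:])
    return prove_atom(goal[1], ctx, hyps, trace, path)   # (atom): go to an N sequent.


def prove_atom(p: str, ctx: str, hyps: List[Hyp], trace: list, path=frozenset()) -> bool:
    """N sequent Σ; Δ ⇒^ctx p: pick a hypothesis k claims d that is usable in this
    context (rule (B2) requires k ≽ ctx), decompose d (F sequent: its head must be p)
    and prove the generated subgoals. Backtracks over all candidate clauses."""
    if (ctx, p) in path:    # the same N sequent is already open on this branch: cut the loop
        return False
    path = path | {(ctx, p)}
    for k, (head, body) in hyps:
        if head != p or not stronger(k, ctx):
            continue        # head does not match, or the claim is not usable in this context
        trace.append((ctx, k, head))
        if all(prove(g, ctx, hyps, trace, path) for g in body):
            return True
    return False


def derive(goal: Goal, hyps: List[Hyp] = POLICY, ctx: str = "ell"):
    """Run goal-directed search from context ctx; returns (provable?, trace of (B2) steps)."""
    trace: list = []
    return prove(goal, ctx, hyps, trace), trace


if __name__ == "__main__":
    ok, steps = derive(says("admin", atom("may(read,Bob,secret.txt)")))
    print(ok)
    for ctx, k, head in steps:
        print(f"context {ctx}: used {k} claims {head}")
```

Running it lists the (B2) steps with their contexts. Asking for employee(Bob) directly in context admin fails, which is the situation described above, and the trace records under which context each principal's claims were consulted; that is the information a lazily loading prover would use to decide which policies to fetch.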

Eliminating non-determinism. The proof system of Figure 3 is largely deterministic. The only points of non-determinism are: (a) choosing a clause in rules (B1) and (B2); (b) choosing between rules (∨R1) and (∨R2); (c) choosing between rules (∧L1) and (∧L2); (d) finding appropriate terms t in rules (∃R) and (∀L). Of these, (a), (b), and (c) cause backtracking during search, which can be reduced significantly in practice through clause compilation and term indexing (see e.g. [50]). (d) can be eliminated completely through unification. All these techniques are standard in logic programming and apply to BL0 without modification, so we do not discuss them further.

Soundness and Completeness. It is quite easy to prove by induction on the rules of Figure 3 that goal-directed search is sound, i.e., any proof it constructs can be simulated in the sequent calculus. The converse, completeness, is harder to prove and requires a number of properties of the sequent calculus. We state our correctness theorem below, postponing an outline of the lemmas needed for completeness to Appendix A.

Theorem 3.1 (Correctness of goal-directed search).

1. Soundness: If Σ; Δ ⟹^k g, then Σ; Δ ⟶^k g.

2. Completeness: If Σ; Δ ⟶^k g, then Σ; Δ ⟹^k g.

4 Saturating Search in BL0

Saturating search is the method of proof construction used in Datalog. The basic tenet is to decompose clauses eagerly by left rules, adding new assumptions to the hypotheses, without any regard for what may or may not be useful in proving the goal. This process of adding assumptions is called forward chaining. After enough assumptions have been added (or when no more can be added), the goal is decomposed. Search succeeds if each atomic formula produced by decomposing the goal exists in the hypotheses; otherwise it fails. This is in stark contrast with goal-directed search, where a clause is decomposed only if its head matches an atomic goal. Saturating search is useful in many cases, for example when all possible consequences of a policy are needed.

Like goal-directed search, saturating search is incomplete for the whole logic. For example, it cannot be used to prove Σ; ∀x:σ.P(x) ⟶^k ∀x:σ.P(x). Once again, we identify a fragment of BL0 on which saturating search is complete. For the lack of a better name, we call this fragment the forward-Hereditary-Harrop fragment (FHH). In saturating search the entire set of hypotheses must be available at once; the lazy strategy for loading hypotheses on demand that we discussed for goal-directed search in Example 2 does not work here.

Forward-Hereditary-Harrop Fragment of BL0. The syntax of FHH is shown below. Goals contain only positive connectives, and the heads of clauses are chunks, not atomic formulas. Another difference from HH is that, in the hypotheses, says is restricted to atomic formulas and all atomic formulas must be enclosed by an immediate says. These restrictions are necessary to obtain completeness.


Goals    g ::= p | k says g | g1 ∧ g2 | g1 ∨ g2 | ⊤ | ⊥ | ∃x:σ.g
Clauses  d ::= h | g ⊃ d | d1 ∧ d2 | ⊤ | ∀x:σ.d
Chunks   h ::= k says p | h1 ∧ h2 | h1 ∨ h2 | ⊤ | ⊥ | ∃x:σ.h
Policies Δ ::= · | Δ, d | Δ, k claims p
Groups   Ξ ::= · | Ξ, h
Sequents R ::= Σ; Δ ≫^k g
         L ::= Σ; Δ; Ξ ⟸^k g
         N ::= Σ; Δ ⇒^k g
         F ::= Σ; d ≪ h | g1 … gn

As before, we use four types of sequents R, L, N, F. However, R sequents, which played a central role in goal-directed search, have a secondary role here and occur only at the leaves of the derivation. Instead, N sequents are central. The context k changes only in R sequents.

Figure 4 summarizes the rules for saturating search. Search starts with an N sequent, where all forward chaining happens (search may start with an L sequent if the hypotheses contain chunks). There are two ways to prove an N sequent. Either we may end forward chaining and transition to an R sequent, which decomposes the goal (rule (F1)), or we may continue forward chaining (rule (F2)). In the latter case, we pick a clause d from the hypotheses, decompose it using F sequents (premise Σ; d ≪ h | g1 … gn), solve the goals g1 … gn, and then decompose the chunk h in an L sequent. This has the effect of adding all components of h to the hypotheses, and constitutes a single forward chaining step.

In an R sequent, we decompose a goal using the right rule of its top-level connective, till we reach an atomic goal. At this point we simply check whether k' claims p exists in the hypotheses for some k' ≽ k (rule (init)). If this happens to be the case, the branch closes; otherwise the branch fails. As a result, all assumptions needed to prove the leaves of the goal must be directly present in the hypotheses before the goal is decomposed.

An L sequent is reached from an N sequent (rule (F2), fourth premise). It decomposes chunks in Ξ using left rules. After Ξ becomes empty, it transitions back to an N sequent (rule (⟸⟹)) and forward chaining resumes. This is slightly different from goal-directed search, where L sequents arise from R sequents and lead back to them.

As in goal-directed search, F sequents in FHH decompose clauses. However, in place of taking as input an atomic formula to prove, they produce as output a chunk. The subgoals g1 … gn are outputs as before.

Example 3. Returning to our running example, we observe that the syntax used in policies (1) and (2) is outside the FHH fragment. Now we rewrite these policies in FHH. The consequences of these new policies ((1f) and (2f) below) are the same as those of the original ones. We formalize this equivalence in Section 5.

(1f) ∀k, k', f. (((hr says employee(k)) ∧ (admin says hasLevelForFile(k, f)) ∧
                 (system says owns(k', f)) ∧ (k' says may(read, k, f)))
                ⊃ admin says may(read, k, f))
[Figure 4: FHH: Saturating search. The rule schemata are not recoverable from the scan; the figure gives, for R sequents Σ; Δ ≫^k g, the rules (init), (saysR), (∧R), (∨R1), (∨R2), (⊤R), (∃R); for L sequents Σ; Δ; Ξ ⟸^k g, the rules (⟸⟹), (saysL), (∧L), (⊤L), (∨L), (⊥L), (∃L); for F sequents Σ; d ≪ h | g1 … gn, the rules (blur), (∧L1), (∧L2), (⊃L), (∀L); and for N sequents Σ; Δ ⇒^k g, the rules (F1) and (F2).]
(2f) ∀k, f, l, l'. (((system says levelFile(f, l)) ∧ (hr says levelPrin(k, l')) ∧
                    (admin says below(l, l'))) ⊃ admin says hasLevelForFile(k, f))

The policies (1f), (2f), and (3)-(10) lie in FHH. Let us call the set of these policies Ξ. As in Example 2, we show some of the steps in proving an access from these policies. At the top level we want to prove Σ; ·; Ξ ⟸^{k0} admin says may(read, Bob, secret.txt), where k0 is a fresh constant. Using the rules (saysL) and (⟸⟹), this reduces to proving Σ; Δ ⇒^{k0} admin says may(read, Bob, secret.txt), where Δ is the same as Ξ, except that all top-level says in policies are replaced by claims. Since this is an N sequent, we may now start forward chaining. The cardinal rule of forward chaining is that a clause can be decomposed only if the subgoals that it will generate are directly provable through R sequents. (1f) does not satisfy this condition, but (2f) does. Accordingly, we decompose it using an F sequent. It is easy to see that Σ; 2f ≪ admin says hasLevelForFile(Bob, secret.txt) | g, where

g = system says levelFile(secret.txt, secret) ∧
    hr says levelPrin(Bob, topsecret) ∧
    admin says below(secret, topsecret)


Thus application of (F2) produces the new sequent Σ; Δ ≫^{k0} g in the third premise. Only the (∧R) rule applies to this R sequent, resulting in the following premises: (Σ; Δ ≫^{k0} system says levelFile(secret.txt, secret)), (Σ; Δ ≫^{k0} hr says levelPrin(Bob, topsecret)), and (Σ; Δ ≫^{k0} admin says below(secret, topsecret)). All these sequents close immediately by the rules (saysR) and (init). Hence in the last premise of (F2) we get Σ; Δ; admin says hasLevelForFile(Bob, secret.txt) ⟸^{k0} admin says may(read, Bob, secret.txt). The rules (saysL) and (⟸⟹) must now be applied in sequence to obtain Σ; Δ, admin claims hasLevelForFile(Bob, secret.txt) ⇒^{k0} admin says may(read, Bob, secret.txt). This is an N sequent, and we may choose to use (F2) again, decomposing (1f) and introducing the assumption admin claims may(read, Bob, secret.txt) in a similar manner. The rest of the proof is easily constructed: (F1) is used to shift to an R sequent, which closes immediately by the rules (saysR) and (init).

A salient point to observe here is that the clauses decomposed in rule (F2) need to be guessed. Further, there is no heuristic to determine when (F1) should be used instead of (F2). In general, a reasonable strategy for a saturating prover is to keep applying (F2) until no new hypotheses can be generated. At that point (F1) may be used to try to close the proof. When the objective is to find all consequences of a set of hypotheses, no goal is provided and (F1) is never used. Instead, the saturated Δ is the output of the search. Of course, this may result in non-termination if saturation never occurs.
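The forward-chaining procedure just described, as an added Python example (not the paper's implementation): hypotheses are claims, clauses are ground instances of (1f) and (2f), (F2) is applied until no clause adds a new claim, and (F1) then decomposes the goal and closes each leaf with (init). The facts, the principal name ell used as the context k0, and the ordering pairs are constructed for the example.

```python
"""Saturating (forward-chaining) search over a ground slice of FHH.

Added example, not the paper's implementation. Hypotheses Δ are claims (k, p) read as
"k claims p"; an FHH clause is (body, head) standing for
    (k1 says p1) ∧ ... ∧ (kn says pn) ⊃ (k says p)
whose head is the chunk k says p. Everything is ground, so the F sequent
Σ; d ≪ h | g1 ... gn just reads the body and head off the clause.
"""
from typing import List, Set, Tuple

Claim = Tuple[str, str]                       # (principal, atomic formula)
Rule = Tuple[List[Claim], Claim]              # (body says-atoms, head says-atom)

# Principal ordering k1 ≽ k2 as explicit pairs plus reflexivity; "ell" is a constructed
# name for the weakest principal, used as the context k0 of the top-level sequent.
ORDER = {("admin", "ell"), ("hr", "ell"), ("system", "ell"), ("Alice", "ell")}


def stronger(k1: str, k2: str) -> bool:
    return k1 == k2 or (k1, k2) in ORDER


# Constructed Δ: the facts of the running example, already in the form k claims p.
FACTS: Set[Claim] = {
    ("hr", "employee(Bob)"),
    ("system", "levelFile(secret.txt,secret)"),
    ("hr", "levelPrin(Bob,topsecret)"),
    ("admin", "below(secret,topsecret)"),
    ("system", "owns(Alice,secret.txt)"),
    ("Alice", "may(read,Bob,secret.txt)"),
}

# Ground instances of policies (1f) and (2f) for Bob and secret.txt.
RULES: List[Rule] = [
    ([("hr", "employee(Bob)"),
      ("admin", "hasLevelForFile(Bob,secret.txt)"),
      ("system", "owns(Alice,secret.txt)"),
      ("Alice", "may(read,Bob,secret.txt)")],
     ("admin", "may(read,Bob,secret.txt)")),                  # (1f)
    ([("system", "levelFile(secret.txt,secret)"),
      ("hr", "levelPrin(Bob,topsecret)"),
      ("admin", "below(secret,topsecret)")],
     ("admin", "hasLevelForFile(Bob,secret.txt)")),           # (2f)
]


def right(goal, ctx: str, delta: Set[Claim]) -> bool:
    """R sequent Σ; Δ ≫^ctx goal, goal being ("says", k, g), ("and", g1, ...) or ("atom", p).
    (saysR) moves into context k, (∧R) splits, and at an atom (init) merely checks that
    some k' claims p is already in Δ with k' ≽ ctx: nothing is derived at this point."""
    if goal[0] == "says":
        return right(goal[2], goal[1], delta)
    if goal[0] == "and":
        return all(right(g, ctx, delta) for g in goal[1:])
    p = goal[1]
    return any(q == p and stronger(k, ctx) for k, q in delta)


def saturate(delta: Set[Claim], rules: List[Rule], ctx: str = "ell"):
    """Apply rule (F2) until no clause adds a new claim. A clause fires only when every
    body subgoal k_i says p_i is provable by an R sequent (saysR then init) from the
    current Δ; its head k says p is then pushed into Δ as k claims p (saysL).
    Returns the saturated Δ and the order in which heads were added."""
    delta = set(delta)
    fired: List[Claim] = []
    changed = True
    while changed:
        changed = False
        for body, head in rules:
            if head in delta:
                continue                     # would add nothing new
            subgoal = ("and",) + tuple(("says", k, ("atom", p)) for k, p in body)
            if right(subgoal, ctx, delta):
                delta.add(head)
                fired.append(head)
                changed = True
    return delta, fired


def prove(goal, delta: Set[Claim], rules: List[Rule], ctx: str = "ell") -> bool:
    """Saturate first, then apply (F1): decompose the goal by right rules and close each
    leaf with (init) against the saturated hypotheses."""
    saturated, _ = saturate(delta, rules, ctx)
    return right(goal, ctx, saturated)


if __name__ == "__main__":
    goal = ("says", "admin", ("atom", "may(read,Bob,secret.txt)"))
    _, order = saturate(FACTS, RULES)
    print("forward chaining added, in order:", order)
    print("goal provable:", prove(goal, FACTS, RULES))
```

The firing order reproduces the example: (2f) fires on the first pass, (1f) only on the second, once admin claims hasLevelForFile(Bob, secret.txt) is present. Because (init) requires the claim to be present before the goal is decomposed, the same goal fails against the unsaturated facts, and it fails altogether if Alice's statement is removed, since (1f) then never fires.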

Soundness and Completeness. Saturating search on the FHH fragment is sound and complete with respect to BL0's sequent calculus. Soundness follows by a straightforward induction on the rules in Figure 4. Completeness is quite difficult to prove. Our proof extends recent work by Pfenning and Simmons [48]. We state the correctness theorem below, deferring a description of the major steps in the proof of completeness to Appendix B. It is difficult to extend FHH and maintain completeness. For example, allowing goals containing ⊃ or ∀, or not restricting says to atomic formulas in hypotheses, results in incompleteness.

Theorem 4.1 (Correctness of saturating search).

1. Soundness: If Σ; Δ ⇒^k g, then Σ; Δ ⟶^k g.

2. Completeness: If Σ; Δ ⟶^k g, then Σ; Δ ⇒^k g.


5 From Goal-directed Search to Saturating Search and First-Order Logic

We consider a subfragment of HH, and show that it admits a sound and complete translation to FHH. Policies written in this fragment can therefore be used with both kinds of provers: they may be given directly to goal-directed provers for HH, and via the translation they may also be given to saturating provers for FHH. We go a step further and show that this smaller fragment also admits a sound and complete translation to intuitionistic first-order logic. Thus we may, in fact, use first-order provers on the fragment. The two translations are quite similar and we present them side by side. We call this smaller fragment of BL0 Horn, because it looks similar to the Horn fragment of first-order logic.

Horn fragment of BL0. The syntax of the Horn fragment is shown below. We restrict goals to only positive connectives, while clauses contain only negative connectives. Hypotheses are always of the form k claims d. It is easy to check that this is a subfragment of HH and hence a complete goal-directed search strategy exists for it.


Goals    g ::= p | k says g | g1 ∧ g2 | g1 ∨ g2 | ⊤ | ⊥ | ∃x:σ.g
Clauses  d ::= p | ∀x:σ.d | g ⊃ d | ⊤ | d1 ∧ d2
Policies Δ ::= · | Δ, k claims d


Despite its simplicity, the Horn fragment is quite expressive. For instance, the example presented in this paper, as well as the full policy from which it is derived, can be expressed in this fragment through only very minor changes. It is our belief that this fragment is expressive enough to express most policies of interest.

Translations. We assume that every predicate in BL0 corresponds to a predicate of the same name in first-order logic that takes one extra argument. For translating ⊥, we also assume a new predicate contra in first-order logic, which is not used by any policy. Figure 5 lists the translations (·) and [·] from the Horn fragment to FHH and intuitionistic first-order logic respectively. In both cases we use auxiliary translations that are indexed by a principal k. This k is the principal in the nearest says or claims outside the formula being translated.

The central "trick" of the translation to FHH is to push the says connective down to atomic formulas. That this simple idea works for a reasonably large fragment was surprising to the author. It was not obvious a priori that the nature of the says modality could be captured by pushing it to the leaves. We note, however, that the translation
                     FHH                                    First-order

Goals
  (P(t1 … tn))_k   = k says P(t1 … tn)          [P(t1 … tn)]_k   = P(k, t1 … tn)
  (k' says g)_k    = (g)_{k'}                    [k' says g]_k    = [g]_{k'}
  (g1 ∧ g2)_k      = (g1)_k ∧ (g2)_k             [g1 ∧ g2]_k      = [g1]_k ∧ [g2]_k
  (g1 ∨ g2)_k      = (g1)_k ∨ (g2)_k             [g1 ∨ g2]_k      = [g1]_k ∨ [g2]_k
  (⊤)_k            = ⊤                           [⊤]_k            = ⊤
  (⊥)_k            = k says ⊥                    [⊥]_k            = contra(k)
  (∃x:σ.g)_k       = ∃x:σ.(g)_k                  [∃x:σ.g]_k       = ∃x:σ.[g]_k

Clauses
  (P(t1 … tn))_k   = k says P(t1 … tn)          [P(t1 … tn)]_k   = P(k, t1 … tn)
  (∀x:σ.d)_k       = ∀x:σ.(d)_k                  [∀x:σ.d]_k       = ∀x:σ.[d]_k
  (g ⊃ d)_k        = (g)_k ⊃ (d)_k               [g ⊃ d]_k        = [g]_k ⊃ [d]_k
  (⊤)_k            = ⊤                           [⊤]_k            = ⊤
  (d1 ∧ d2)_k      = (d1)_k ∧ (d2)_k             [d1 ∧ d2]_k      = [d1]_k ∧ [d2]_k

Policies
  (·)              = ·                           [·]              = ·
  (Δ, k claims d)  = (Δ), (d)_k                  [Δ, k claims d]  = [Δ], [d]_k

Figure 5: Translations from the Horn fragment to FHH and intuitionistic logic

does not extend to significantly larger fragments. In particular, allowing either hypotheses of the form d true or other connectives in goals makes the translation unsound. The first-order translation is a mild extension of the FHH translation, based on the observation that k says p behaves atomically in FHH (modulo the effects of k ≽ k'). As a result, k says P(t1 … tn) can be replaced by P(k, t1 … tn).

The effects of the order k ≽ k' on principals need to be incorporated explicitly in the first-order translation. We do this by assuming the following theory during proof search.

Θ = {(∀x. P(k, x) ⊃ P(k', x)) | k ≽ k', P is a predicate}

Given this theory, k ≽ k' entails [(k says P(t1 … tn)) ⊃ (k' says P(t1 … tn))]_{k0}. This is sufficient to recover the effects of k ≽ k' in the translation. In order to keep Θ finite, we assume that the set of predicates and the relation ≽ are both finite. These assumptions are reasonable in any realistic scenario.
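The two translations of Figure 5 and the theory Θ, as an added Python example (not the paper's code): formulas are nested tuples, to_fhh implements (·)_k by pushing says down to the atoms, to_fol implements [·]_k by adding the speaking principal as the first argument of each predicate and mapping ⊥ to contra(k), and theta enumerates Θ for a finite predicate set and order. Policy (1) of the running example is encoded with constructed sort names prin and file; applying to_fhh to it under admin yields the shape of (1f).

```python
"""The translations (·)_k (Horn fragment of BL0 to FHH) and [·]_k (to intuitionistic
first-order logic) of Figure 5, plus the principal-order theory Θ.
Added example, not the paper's code. Formulas are nested tuples:
  ("atom", P, (t1, ..., tn))   ("says", k, f)   ("and", f1, f2)   ("or", f1, f2)
  ("imp", g, d)   ("top",)   ("bot",)   ("exists", x, sort, f)   ("forall", x, sort, f)
The index k is the principal of the nearest enclosing says or claims.
"""
from typing import Dict, List, Set, Tuple

Formula = tuple


def to_fhh(f: Formula, k: str) -> Formula:
    """(f)_k: push says down to the atoms; ⊥ becomes k says ⊥."""
    t = f[0]
    if t == "atom":
        return ("says", k, f)
    if t == "says":
        return to_fhh(f[2], f[1])               # the inner principal takes over
    if t in ("and", "or", "imp"):
        return (t, to_fhh(f[1], k), to_fhh(f[2], k))
    if t == "top":
        return f
    if t == "bot":
        return ("says", k, f)
    return (t, f[1], f[2], to_fhh(f[3], k))     # exists / forall


def to_fol(f: Formula, k: str) -> Formula:
    """[f]_k: the speaking principal becomes the first argument of every predicate;
    ⊥ becomes the fresh predicate contra(k)."""
    t = f[0]
    if t == "atom":
        return ("atom", f[1], (k,) + tuple(f[2]))
    if t == "says":
        return to_fol(f[2], f[1])
    if t in ("and", "or", "imp"):
        return (t, to_fol(f[1], k), to_fol(f[2], k))
    if t == "top":
        return f
    if t == "bot":
        return ("atom", "contra", (k,))
    return (t, f[1], f[2], to_fol(f[3], k))


def translate_policy(delta, target):
    """(Δ) or [Δ]: each hypothesis k claims d becomes (d)_k or [d]_k."""
    return [target(d, k) for k, d in delta]


def theta(preds: Dict[str, int], order: Set[Tuple[str, str]]) -> List[str]:
    """Θ = { ∀x. P(k, x) ⊃ P(k', x) | k ≽ k', P a predicate }, for a finite predicate
    table (name -> arity) and a finite set of pairs (k, k') meaning k ≽ k'."""
    out = []
    for k, k2 in sorted(order):
        for p, arity in sorted(preds.items()):
            xs = ",".join(f"x{i}" for i in range(1, arity + 1))
            args = f",{xs}" if xs else ""
            prefix = f"∀{xs}. " if xs else ""
            out.append(f"{prefix}{p}({k}{args}) ⊃ {p}({k2}{args})")
    return out


def render(f: Formula) -> str:
    """Print a formula in the notation of the paper."""
    t = f[0]
    if t == "atom":
        return f"{f[1]}({','.join(f[2])})" if f[2] else f[1]
    if t == "says":
        return f"{f[1]} says {render(f[2])}"
    if t in ("and", "or", "imp"):
        op = {"and": "∧", "or": "∨", "imp": "⊃"}[t]
        return f"({render(f[1])} {op} {render(f[2])})"
    if t == "top":
        return "⊤"
    if t == "bot":
        return "⊥"
    q = "∃" if t == "exists" else "∀"
    return f"{q}{f[1]}:{f[2]}.{render(f[3])}"


# Policy (1) of the running example, as the clause that admin claims. The sort names
# prin and file are constructed for the example.
P1 = ("forall", "k", "prin", ("forall", "k'", "prin", ("forall", "f", "file",
      ("imp", ("and", ("says", "hr", ("atom", "employee", ("k",))),
              ("and", ("atom", "hasLevelForFile", ("k", "f")),
              ("and", ("says", "system", ("atom", "owns", ("k'", "f"))),
                      ("says", "k'", ("atom", "may", ("read", "k", "f")))))),
             ("atom", "may", ("read", "k", "f"))))))

if __name__ == "__main__":
    print(render(to_fhh(P1, "admin")))      # the shape of (1f)
    print(render(to_fol(P1, "admin")))      # admin becomes an argument of each predicate
    print(theta({"employee": 1, "may": 3}, {("admin", "ell")}))
```

The FHH output carries admin says in front of hasLevelForFile and of the head, exactly as (1f) does, while the first-order output turns the same atoms into hasLevelForFile(admin, k, f) and may(admin, read, k, f); Θ is what lets a first-order prover move such facts from a stronger principal to a weaker one.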

Theorem 5.1 (Correctness of Translations). The following are equivalent for any policy Δ and any goal g in the Horn fragment.

1. Σ; Δ ⟹^k g by the rules of HH.

2. Σ; (Δ) ⇒^k (g)_k by the rules of FHH.

3. Σ; [Δ], Θ ⊢ [g]_k in first-order intuitionistic logic.

Proof. Since we have already proved equivalence between HH (resp. FHH) and the sequent calculus, it suffices to prove that Σ; Δ ⟶^k g (resp. Σ; (Δ) ⟶^k (g)_k) is equivalent to (3). In each case, and in each direction, this follows by a direct induction on the given derivations. The inductions are easier if we subinduct on the size of g, and case-analyze principal formulas in the last rules of the derivations. □




Example 4. If we replace all top-level says in the policies of Example 1 by claims (a change which has no effect on the consequences of the policies), then the resulting policies lie in the Horn fragment. The transformation of policies (1) and (2) considered in Example 3 is exactly the effect of the translation (·). As a result, (1f) and (2f) have the same consequences as (1) and (2). It is also easy to check that the access considered in the earlier examples may be derived after translation to first-order logic.

Connection to Binder and Soutei. The policy language Binder [23] contains a says modality that is extremely similar in nature to says in BL0. In fact, Binder is almost a proper subset of the Horn fragment of BL0, the only exception being that Binder allows says over clause heads. The semantics of Binder are defined by a translation to Datalog that uses the same technique as the translation from the Horn fragment to first-order logic: principals are made arguments of the predicates that occur under their statements. We believe that the above translation to first-order logic justifies the logical correctness of this implementation technique.

Soutei [49] is a dialect of Binder that uses goal-directed search instead of saturating search. Soutei is a proper subset of the Horn fragment of BL0, because it does not allow says on clause heads as Binder does, and its provability coincides with that of BL0. As a result, Theorem 5.1 provides formal evidence that Soutei is indeed an implementation of Binder, and that (on their common fragment) they authorize the same accesses.

6 Implementation and Open Issues

We have implemented the goal-directed search for HH described in Section 3. Our implementation also supports a hybrid modality to represent time explicitly [24], constraints, and system state, and it produces explicit proof terms. The implementation is less than 500 lines of SML code, and follows a generic structure for logic programming engines described by Pfenning and Elliott [25]. The implementation is quite fast. For example, in the case of policies for controlling classified information, all proofs that we have seen so far can be constructed in less than 300ms on a 2.4GHz Core 2 Duo machine. Some of these proofs are quite large, containing approximately 1100 rule applications and nearly 70 hypotheses. Further, these figures are conservative because we have not yet implemented any optimizations such as residuation and term indexing.

We have also implemented goal-directed search as well as a proof verifier for BL0 in the logical framework Twelf [47]. We provide online both our implementations and the full case study from which the examples of this paper are derived [28].

Open Issues and Future Work. A very relevant issue that we have not addressed here is termination. For most applications, it is useful to have a guarantee that the prover will terminate. It seems likely that mode and termination checking (e.g., as implemented in Twelf) can be used to statically rule out policies on which goal-directed search may not terminate. For saturating search, it is hard to prove termination, except on simple fragments such as Datalog. It may be interesting and extremely useful to study this problem further.

Another possibility not considered here is a meaningful combination of backward and forward chaining in the same procedure. This is beneficial because predicates whose proofs are reused often can be forward chained and others can be backward chained, to improve efficiency. This kind of mixed search strategy is known to be complete for intuitionistic logic [20], and we expect that the same results will extend to BL0. In ongoing work, we are also extending the results of this paper to the larger logic BL, which contains both explicit time and constraints. The interaction between the two is non-trivial, especially in the case of saturating search.

7 Conclusion

We have introduced BL0, an authorization logic with an unusual but useful says modality, and identified fragments of the logic that admit complete goal-directed and saturating proof search strategies. Given that these strategies exist, the next step would be to apply them to meaningful problems. We are currently considering many such applications, including an implementation of proof-carrying authorization in a file system, which uses goal-directed search, and policy compilation to low-level permissions, which uses saturating search.
A Proof of Theorem 3.1

We summarize the basic steps in the proofs of soundness and completeness of goal-directed search on HH.

Theorem A.1 (Soundness). The following hold.

1. Σ; Δ ⟹^k g implies Σ; Δ ⟶^k g

2. Σ; Δ; Ξ ⟸^k g implies Σ; Δ, Ξ ⟶^k g

3. Σ; Δ ⇒^k p implies Σ; Δ ⟶^k p

4. Σ; d ≪ p | g1 … gn, d ∈ Δ, and Σ; Δ ⟶^k g_i (for each i) imply Σ; Δ ⟶^k p

Proof. We first prove (4) by induction on the derivation of Σ; d ≪ p | g1 … gn. (1), (2), and (3) follow by simultaneous induction on the given derivations, using (4) in the cases of rules (B1) and (B2). □

Completeness of goal-directed search is harder to establish. We define and prove invertibility of rules in the sequent calculus, and use that to prove completeness.

Definition. A connective is called strongly invertible on the right if there is a right sequent calculus rule for the connective whose premises can be established by shorter derivations whenever its conclusion can be. A connective is called strongly invertible on the left if the premises of all its left sequent calculus rules (without the principal formulas) can be established by shorter derivations whenever their conclusions can be.

Lemma A.2 (Invertibility). The following hold for the sequent calculus in Figure 2.

1. The connectives ∧, ∀, ⊃ are strongly invertible on the right.

2. The connectives ∀, ∃, says are strongly invertible on the right if hypotheses are restricted to HH policies (Δ) only.

3. The connectives ∨, ∃, ∧, says are strongly invertible on the left.

4. If Σ; Δ ⟶^k p, then there is a clause d and formulas g1 … gn such that

(a) Either d ∈ Δ or, for some k', k' claims d ∈ Δ and k' ≽ k.

(b) Σ; d ≪ p | g1 … gn.

(c) Σ; Δ ⟶^k g_i by shorter derivations for 1 ≤ i ≤ n.

Proof. In each case we induct on the given derivations. In (1), (2), and (3), a separate induction is needed for each connective. □

Theorem A.3 (Completeness). The following hold.

1. If Σ; Δ ⟶^k g, then Σ; Δ ⟹^k g

2. If Σ; Δ, Ξ ⟶^k g, then Σ; Δ; Ξ ⟸^k g

3. If Σ; Δ ⟶^k p, then Σ; Δ ⇒^k p

Proof. We use a simultaneous induction on the depth of the given derivations. For given derivations of the same depth, we assume the suborder (2) > (1) > (3), freely using (3) inside proofs of (1), and (1) inside proofs of (2). The proof proceeds through case analysis on g in (1), and on formulas in Ξ in (2), using Lemma A.2. □

B Proof of Theorem 4.1

In this appendix, we outline a proof of completeness of saturating search. Soundness is easy to prove: we only need to induct on derivations of Figure 4. To prove that saturating search on FHH is complete, we construct an intermediate weak focusing system (WF) for FHH. Then we show that any sequent calculus proof (over the FHH fragment) can be simulated in WF, and finally show that any proof in WF can be simulated in FHH. WF is similar to the saturating system in Figure 4, but does not contain L sequents. Instead it allows left rules on chunks to be applied at any time. This technique is adapted from work by Pfenning and Simmons [48].

Weak focusing system. The syntax of formulas for WF is the same as FHH. The hypotheses $\Delta$ and $H$ are merged into one set, which we denote $\Psi$.

Hyps        $\Psi ::= \cdot \mid \Psi, k\ \text{claims}\ p \mid \Psi, d \mid \Psi, h$

Sequents    $R ::= \Sigma; \Psi \Rightarrow^{k} [g]$

            $N ::= \Sigma; \Psi \Rightarrow^{k} g$

            $F ::= \Sigma; \Psi, [d] \Rightarrow^{k} g$

We use three judgments R (right focus), N (neutral), F (left focus). Instead of using different sequent arrows, we indicate the type of sequent by putting the formula in focus in square brackets $[\cdot]$. The rules are shown in Figure 6. WF admits some obvious structural rules, which we do not state explicitly.
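To make the three judgments concrete, here is an added example (not the paper's implementation) of a small prover for the propositional, quantifier-free core of WF: R, N and F sequents with the claims-based init rule, the $\Psi|$ restriction in saysR, left rules on chunks, and blur. The tuple encoding of formulas, the principal order and the loop check on repeated N sequents are assumptions of this example.

```python
# Added example (not the paper's implementation): propositional, quantifier-
# free core of WF (Figure 6) over a finite principal preorder.  Formulas are
# tuples: ('atom',p) ('and',a,b) ('or',a,b) ('top',) ('bot',) ('imp',g,d) for
# g ⊃ d, ('says',k,g) and ('claims',k,p); Psi is a frozenset of hypotheses.

def make_order(pairs):
    """Reflexive-transitive closure of 'k1 is at least as strong as k2' pairs."""
    geq = set(pairs)
    while True:
        new = {(a, d) for (a, b) in geq for (c, d) in geq if b == c} - geq
        if not new:
            return lambda k1, k2: k1 == k2 or (k1, k2) in geq
        geq |= new

def right(psi, k, g, ge):
    """R sequent Sigma; Psi =>^k [g]: only the goal is decomposed."""
    t = g[0]
    if t == 'atom':   # init: some k' claims p in Psi with k' >= k
        return any(h[0] == 'claims' and h[2] == g[1] and ge(h[1], k) for h in psi)
    if t == 'says':   # saysR: keep only claims (Psi|) and switch the view to k
        return right(frozenset(h for h in psi if h[0] == 'claims'), g[1], g[2], ge)
    if t == 'and': return right(psi, k, g[1], ge) and right(psi, k, g[2], ge)
    if t == 'or': return right(psi, k, g[1], ge) or right(psi, k, g[2], ge)
    return t == 'top'  # TR; there is no right rule for bottom

def neutral(psi, k, g, ge, seen=frozenset()):
    """N sequent Sigma; Psi =>^k g: left rules on chunks, then F1, then F2."""
    if (psi, k, g) in seen: return False  # sequent already open on this branch
    seen = seen | {(psi, k, g)}
    for h in psi:                         # saysL, andL, topL, botL, orL on chunks
        rest = psi - {h}
        if h[0] == 'says' and h[2][0] == 'atom':
            return neutral(rest | {('claims', h[1], h[2][1])}, k, g, ge, seen)
        if h[0] == 'and': return neutral(rest | {h[1], h[2]}, k, g, ge, seen)
        if h[0] == 'top': return neutral(rest, k, g, ge, seen)
        if h[0] == 'bot': return True
        if h[0] == 'or': return all(neutral(rest | {b}, k, g, ge, seen) for b in h[1:])
    if right(psi, k, g, ge):              # F1
        return True
    return any(focus(psi, k, d, g, ge, seen) for d in psi if d[0] == 'imp')  # F2

def focus(psi, k, d, g, ge, seen):
    """F sequent Sigma; Psi, [d] =>^k g: backchain through the clause d."""
    if d[0] == 'imp':   # impL: the body g1 must be proved in right focus
        return right(psi, k, d[1], ge) and focus(psi, k, d[2], g, ge, seen)
    if d[0] == 'and':   # andL1 / andL2: pick one conjunct to stay focused on
        return any(focus(psi, k, c, g, ge, seen) for c in d[1:])
    return neutral(psi | {d}, k, g, ge, seen)  # blur: the chunk h joins Psi
```

The check on repeated N sequents is only there to keep the search finite (otherwise F2 could re-focus on the same clause forever); the WF rules themselves do not include it.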

From the Sequent Calculus to WF. First, we prove that any proof in the sequent calculus can be simulated in WF. In order to do that, we need to show that most rules of the sequent calculus are admissible in N sequents in WF.

Lemma B.1 (Rule admissibility). The following hold for WF.

1. $k'$ claims $p \in \Psi$ and $k' \geq k$ imply $\Sigma; \Psi \Rightarrow^{k} p$.

2. $\Sigma; \Psi| \Rightarrow^{k} g$ implies $\Sigma; \Psi \Rightarrow^{k'} k\ \text{says}\ g$.

3. $\Sigma; \Psi_1 \Rightarrow^{k} g_1$ and $\Sigma; \Psi_2 \Rightarrow^{k} g_2$ imply $\Sigma; \Psi_1, \Psi_2 \Rightarrow^{k} g_1 \wedge g_2$.

4. $\Sigma; \Psi \Rightarrow^{k} g_1$ implies $\Sigma; \Psi \Rightarrow^{k} g_1 \vee g_2$.

5. $\Sigma; \Psi \Rightarrow^{k} g_2$ implies $\Sigma; \Psi \Rightarrow^{k} g_1 \vee g_2$.

6. $\Sigma, x{:}\sigma; \Psi \Rightarrow^{k} g$ implies $\Sigma; \Psi \Rightarrow^{k} \forall x{:}\sigma.\, g$.
R sequents

$$\frac{k'\ \text{claims}\ p \in \Psi \qquad k' \geq k}{\Sigma; \Psi \Rightarrow^{k} [p]}\ \text{init}
\qquad
\frac{\Sigma; \Psi| \Rightarrow^{k} [g]}{\Sigma; \Psi \Rightarrow^{k'} [k\ \text{says}\ g]}\ \text{saysR}$$

$$\frac{\Sigma; \Psi \Rightarrow^{k} [g] \qquad \Sigma; \Psi \Rightarrow^{k} [g']}{\Sigma; \Psi \Rightarrow^{k} [g \wedge g']}\ \wedge\text{R}
\qquad
\frac{\Sigma; \Psi \Rightarrow^{k} [g]}{\Sigma; \Psi \Rightarrow^{k} [g \vee g']}\ \vee\text{R}_1
\qquad
\frac{\Sigma; \Psi \Rightarrow^{k} [g']}{\Sigma; \Psi \Rightarrow^{k} [g \vee g']}\ \vee\text{R}_2$$

$$\frac{}{\Sigma; \Psi \Rightarrow^{k} [\top]}\ \top\text{R}
\qquad
\frac{\Sigma; \Psi \Rightarrow^{k} [g[t/x]] \qquad \Sigma \vdash t{:}\sigma}{\Sigma; \Psi \Rightarrow^{k} [\exists x{:}\sigma.\, g]}\ \exists\text{R}$$

N sequents

$$\frac{\Sigma; \Psi \Rightarrow^{k} [g]}{\Sigma; \Psi \Rightarrow^{k} g}\ \text{F1}
\qquad
\frac{d \in \Psi \qquad \Sigma; \Psi, [d] \Rightarrow^{k} g}{\Sigma; \Psi \Rightarrow^{k} g}\ \text{F2}
\qquad
\frac{\Sigma; \Psi, k\ \text{claims}\ p \Rightarrow^{k'} g}{\Sigma; \Psi, k\ \text{says}\ p \Rightarrow^{k'} g}\ \text{saysL}$$

$$\frac{\Sigma; \Psi, h, h' \Rightarrow^{k} g}{\Sigma; \Psi, h \wedge h' \Rightarrow^{k} g}\ \wedge\text{L}
\qquad
\frac{\Sigma; \Psi \Rightarrow^{k} g}{\Sigma; \Psi, \top \Rightarrow^{k} g}\ \top\text{L}
\qquad
\frac{}{\Sigma; \Psi, \bot \Rightarrow^{k} g}\ \bot\text{L}$$

$$\frac{\Sigma; \Psi, h \Rightarrow^{k} g \qquad \Sigma; \Psi, h' \Rightarrow^{k} g}{\Sigma; \Psi, h \vee h' \Rightarrow^{k} g}\ \vee\text{L}
\qquad
\frac{\Sigma, x{:}\sigma; \Psi, h \Rightarrow^{k} g}{\Sigma; \Psi, \exists x{:}\sigma.\, h \Rightarrow^{k} g}\ \exists\text{L}$$

F sequents

$$\frac{\Sigma; \Psi, h \Rightarrow^{k} g}{\Sigma; \Psi, [h] \Rightarrow^{k} g}\ \text{blur}
\qquad
\frac{\Sigma; \Psi, [d_1] \Rightarrow^{k} g}{\Sigma; \Psi, [d_1 \wedge d_2] \Rightarrow^{k} g}\ \wedge\text{L}_1
\qquad
\frac{\Sigma; \Psi, [d_2] \Rightarrow^{k} g}{\Sigma; \Psi, [d_1 \wedge d_2] \Rightarrow^{k} g}\ \wedge\text{L}_2$$

$$\frac{\Sigma; \Psi \Rightarrow^{k} [g_1] \qquad \Sigma; \Psi, [d_2] \Rightarrow^{k} g}{\Sigma; \Psi, [g_1 \supset d_2] \Rightarrow^{k} g}\ \supset\text{L}
\qquad
\frac{\Sigma; \Psi, [d[t/x]] \Rightarrow^{k} g \qquad \Sigma \vdash t{:}\sigma}{\Sigma; \Psi, [\forall x{:}\sigma.\, d] \Rightarrow^{k} g}\ \forall\text{L}$$

Figure 6: WF: Weak focusing system for FHH
7. $\Sigma; \Psi \Rightarrow^{k} g[t/x]$ and $\Sigma \vdash t{:}\sigma$ imply $\Sigma; \Psi \Rightarrow^{k} \exists x{:}\sigma.\, g$.

8. $\Sigma; \Psi, d_1, d_2, d_1 \wedge d_2 \Rightarrow^{k} g$ implies $\Sigma; \Psi, d_1 \wedge d_2 \Rightarrow^{k} g$.

9. $\Sigma; \Psi_1, g_1 \supset d_2 \Rightarrow^{k} g_1$ and $\Sigma; \Psi_2, d_2, g_1 \supset d_2 \Rightarrow^{k} g$ imply $\Sigma; \Psi_1, \Psi_2, g_1 \supset d_2 \Rightarrow^{k} g$.

10. $\Sigma; \Psi, \forall x{:}\sigma.\, d, d[t/x] \Rightarrow^{k} g$ and $\Sigma \vdash t{:}\sigma$ imply $\Sigma; \Psi, \forall x{:}\sigma.\, d \Rightarrow^{k} g$.

Proof.

1. We have the following direct derivation:

$$\frac{\dfrac{k'\ \text{claims}\ p \in \Psi \qquad k' \geq k}{\Sigma; \Psi \Rightarrow^{k} [p]}\ \text{init}}{\Sigma; \Psi \Rightarrow^{k} p}\ \text{F1}$$

2. The only rule that may derive $\Sigma; \Psi| \Rightarrow^{k} g$ is F1. This is because $\Psi|$ only has assumptions of the form $k'$ claims $p$, so no left rule applies. Hence it follows that we must have $\Sigma; \Psi| \Rightarrow^{k} [g]$ (premise of F1). By rule (saysR), $\Sigma; \Psi \Rightarrow^{k'} [k\ \text{says}\ g]$, and by F1, $\Sigma; \Psi \Rightarrow^{k'} k\ \text{says}\ g$.

3. We generalize the statement of (3), adding the following two new hypotheses:

(a) $\Sigma; \Psi_1 \Rightarrow^{k} g_1$ and $\Sigma; \Psi_2, [d] \Rightarrow^{k} g_2$ imply $\Sigma; \Psi_1, \Psi_2, [d] \Rightarrow^{k} g_1 \wedge g_2$.

(b) $\Sigma; \Psi_1, [d] \Rightarrow^{k} g_1$ and $\Sigma; \Psi_2 \Rightarrow^{k} g_2$ imply $\Sigma; \Psi_1, \Psi_2, [d] \Rightarrow^{k} g_1 \wedge g_2$.

All three statements follow by a simultaneous induction on the two given derivations.

4. We generalize the statement of (4), adding the following new hypothesis:

(a) $\Sigma; \Psi, [d] \Rightarrow^{k} g_1$ implies $\Sigma; \Psi, [d] \Rightarrow^{k} g_1 \vee g_2$.

Both statements follow by a simultaneous induction on the given derivations.

5. Same technique as (4).

6. Same technique as (4).

7. Same technique as (4).

8. We generalize the statement of (8), adding the following new hypotheses:

(a) $\Sigma; \Psi, d_1, d_2, d_1 \wedge d_2 \Rightarrow^{k} [g]$ implies $\Sigma; \Psi, d_1 \wedge d_2 \Rightarrow^{k} [g]$.

(b) $\Sigma; \Psi, d_1, d_2, d_1 \wedge d_2, [d] \Rightarrow^{k} g$ implies $\Sigma; \Psi, d_1 \wedge d_2, [d] \Rightarrow^{k} g$.

(a) follows by induction on the given derivation. Next, we prove (8) and (b) by simultaneous induction on the given derivations, using (a) for the case of rule (F1). The only other interesting case is when the given derivation is the following:

$$\frac{\Sigma; \Psi, d_1, d_2, d_1 \wedge d_2, [d_1] \Rightarrow^{k} g}{\Sigma; \Psi, d_1, d_2, d_1 \wedge d_2 \Rightarrow^{k} g}\ \text{F2}$$

By i.h. on the premise, $\Sigma; \Psi, d_1 \wedge d_2, [d_1] \Rightarrow^{k} g$. By rule ($\wedge$L$_1$), $\Sigma; \Psi, d_1 \wedge d_2, [d_1 \wedge d_2] \Rightarrow^{k} g$. By rule (F2), $\Sigma; \Psi, d_1 \wedge d_2 \Rightarrow^{k} g$.

9. We generalize the statement of (9), adding the following hypotheses:

(a) $\Sigma; \Psi, d_2, g_1 \supset d_2 \Rightarrow^{k} [g]$ implies $\Sigma; \Psi, g_1 \supset d_2 \Rightarrow^{k} [g]$.

(b) $\Sigma; \Psi_1, g_1 \supset d_2 \Rightarrow^{k} [g_1]$ and $\Sigma; \Psi_2, d_2, g_1 \supset d_2 \Rightarrow^{k} g$ imply $\Sigma; \Psi_1, \Psi_2, g_1 \supset d_2 \Rightarrow^{k} g$.

(c) $\Sigma; \Psi_1, g_1 \supset d_2 \Rightarrow^{k} [g_1]$ and $\Sigma; \Psi_2, d_2, g_1 \supset d_2, [d] \Rightarrow^{k} g$ imply $\Sigma; \Psi_1, \Psi_2, g_1 \supset d_2, [d] \Rightarrow^{k} g$.

(d) $\Sigma; \Psi_1, g_1 \supset d_2, [d] \Rightarrow^{k} g_1$ and $\Sigma; \Psi_2, d_2, g_1 \supset d_2 \Rightarrow^{k} g$ imply $\Sigma; \Psi_1, \Psi_2, g_1 \supset d_2, [d] \Rightarrow^{k} g$.

(a) follows by induction on the given derivation. (b) and (c) follow by simultaneous induction on the second given derivation, using (a) when the derivation ends in rule (F1). (9) and (d) follow by simultaneous induction on the first given derivation, using (b) and (c) when the derivation ends in rule (F1).

10. We generalize the statement of (10), adding the following two new hypotheses:

(a) $\Sigma; \Psi, \forall x{:}\sigma.\, d, d[t/x] \Rightarrow^{k} [g]$ and $\Sigma \vdash t{:}\sigma$ imply $\Sigma; \Psi, \forall x{:}\sigma.\, d \Rightarrow^{k} [g]$.

(b) $\Sigma; \Psi, \forall x{:}\sigma.\, d, d[t/x], [d'] \Rightarrow^{k} g$ and $\Sigma \vdash t{:}\sigma$ imply $\Sigma; \Psi, \forall x{:}\sigma.\, d, [d'] \Rightarrow^{k} g$.

(a) follows by induction on the given derivation. (10) and (b) then follow by a simultaneous induction on the given derivations, using (a) for the case of rule (F1).

□

We can now prove that on the FHH fragment of $\mathrm{BL}_0$, the sequent calculus can be simulated in WF. We define a class of regular sequents as follows.

Definition. A sequent $\Sigma; \Gamma \longrightarrow^{k} s$ is called regular if:

1. $s$ is an FHH goal $g$.

2. $\Gamma$ contains assumptions of the following forms only:

(a) FHH clauses $d$

(b) FHH chunks $h$

(c) $k'$ claims $p$

(d) $p$, where for some $k' \geq k$, $k'$ claims $p \in \Gamma$.

Further, if $\Gamma$ is regular, we define $\Gamma^{\dagger}$ to be its largest subset that does not contain any atoms. Note that $\Gamma^{\dagger}$ is always a valid set of hypotheses in WF (i.e., it is of the form $\Psi$).

Lemma B.2 (Weak completeness). If $\Sigma; \Gamma \longrightarrow^{k} s$ is regular, and provable in $\mathrm{BL}_0$'s sequent calculus, then $\Sigma; \Gamma^{\dagger} \Rightarrow^{k} g$ in WF.

Proof. We induct on the depth of the derivation of $\Sigma; \Gamma \longrightarrow^{k} s$. We case analyze the last rule of the derivation. For the rules ($\vee$L), ($\exists$L), (saysL), and ($\wedge$L) applied to a chunk, we first appeal to Lemma A.2.3, apply the i.h. to the smaller derivation, and then apply the corresponding rule in WF. Case ($\bot$L) follows by the corresponding rule in WF. Case ($\top$R) follows by rules ($\top$R) and (F1) in WF. For ($\wedge$L) applied to a clause, we use Lemma B.1.8. The remaining cases except (init) and (claims) also follow from Lemma B.1. The cases (init) and (claims) are shown below.

Case.
$$\frac{}{\Sigma; \Gamma, p \longrightarrow^{k} p}\ \text{init}$$

By the assumption of regularity, for some $k' \geq k$, $k'$ claims $p \in \Gamma$. Clearly, $k'$ claims $p \in \Gamma^{\dagger}$. Hence by Lemma B.1.1, $\Sigma; \Gamma^{\dagger} \Rightarrow^{k} p$.

Case.
$$\frac{\Sigma; \Gamma, k\ \text{claims}\ s, s \longrightarrow^{k_0} r \qquad k \geq k_0}{\Sigma; \Gamma, k\ \text{claims}\ s \longrightarrow^{k_0} r}\ \text{claims}$$

By the assumption of regularity, $s$ must be an atom. It follows that $(\Gamma, k\ \text{claims}\ s, s)^{\dagger} = (\Gamma, k\ \text{claims}\ s)^{\dagger}$. Therefore, by i.h. on the premise, $\Sigma; (\Gamma, k\ \text{claims}\ s)^{\dagger} \Rightarrow^{k_0} r$. □

From WF to FHH. Next we show that every proof in WF can be simulated in FHH. Completeness of saturating search follows immediately from this and the preceding lemma.

Lemma B.3 (WF to FHH). The following hold for WF and FHH.

1. $\Sigma; \Delta, H \Rightarrow^{k} g$ in WF implies $\Sigma; \Delta; H \Rightarrow^{k} g$ in FHH.

2. $\Sigma; \Delta \Rightarrow^{k} g$ in WF implies $\Sigma; \Delta \Rightarrow^{k} g$ in FHH.

3. $\Sigma; \Delta, [d] \Rightarrow^{k} g$ in WF implies that there exist $g_1 \ldots g_n$ and $h$ such that $\Sigma; d \ll h \mid g_1 \ldots g_n$, $\Sigma; \Delta \Rightarrow^{k} g_i$ and $\Sigma; \Delta; h \Rightarrow^{k} g$ in FHH.

4. $\Sigma; \Delta \Rightarrow^{k} [g]$ in WF implies $\Sigma; \Delta \Rightarrow^{k} g$ in FHH.

Proof. All statements follow by a simultaneous induction on the given derivations. □

Theorem B.4 (Completeness). If $\Sigma; \Delta \longrightarrow^{k} g$ in $\mathrm{BL}_0$'s sequent calculus, then $\Sigma; \Delta \Rightarrow^{k} g$ in FHH.

Proof. Assume that $\Sigma; \Delta \longrightarrow^{k} g$. Since $\Sigma; \Delta \longrightarrow^{k} g$ is always a regular sequent, and $\Delta^{\dagger} = \Delta$, by Lemma B.2 we get $\Sigma; \Delta \Rightarrow^{k} g$ in WF. Hence by Lemma B.3.2, $\Sigma; \Delta \Rightarrow^{k} g$ in FHH. □